News of further planned changes to UK data protection laws might not sound like welcome news for charities. Most charities spent a significant amount of time and effort getting ready for the introduction of the GDPR in 2018 and, since then, have had to get to grips with more changes following the UK’s exit from the EU.
It’s true that when Michelle Donelan (then Culture Secretary) announced in October last year that the Government planned to replace the GDPR with “a truly bespoke, British system of data protection”, there weren’t many people who welcomed the idea of ripping up the regime we’d only just got used to and starting again.
Fast forward to the publication of the Data Protection and Digital Information (No 2) Bill (DPDI) in March this year, however, and the picture looks more encouraging.
The DPDI is still making its way through Parliament and isn’t likely to become law until later this year or early next year. If enacted, it will amend current UK data protection laws including the UK GDPR and the Privacy and Electronic Communications Regulations (PECR).
As currently drafted, here’s a taste of some of the most significant proposals for charities and not-for-profit organisations:
This is probably the most eagerly anticipated change for the charity sector.
The idea is to allow charities to send marketing emails to supporters (or people who’ve expressed an interest in supporting the charity) without the need for opt-in consent.
Obtaining consent to send electronic marketing messages (such as newsletters or information about upcoming events) is one of the biggest challenges for charity fundraising and marketing teams. If this change does come into effect it would give most charities the ability to contact a large cohort of people that are currently difficult to reach, as long as they’re given a simple means of opting out.
Lots of charities rely on the ‘legitimate interests’ condition to process people’s personal data, but some nervousness remains about using legitimate interests in certain contexts, particularly to share personal data with third parties.
Helpfully, the DPDI would introduce new “recognised legitimate interests” to cover specific situations, including safeguarding vulnerable individuals. Where personal data needs to be processed in one of these recognised scenarios, charities wouldn’t need to carry out a legitimate interests assessment or satisfy the ‘balancing test’.
Current rules require opt-in consent from website and App users to use any “non-essential” cookies (analytics cookies, for example, aren’t currently deemed to be essential). This is set to change so that cookies which pose a low risk to privacy (such as security updates, functionality, and analytics cookies) will no longer require opt-in consent.
The requirement for most charities to keep records of processing activities (or ROPA) will be removed in all but high risk situations. We’re yet to find out exactly what the threshold for high risk processing will be, but this is likely to mean that a lot of charities will no longer be legally required to maintain ROPA.
While this might sound like a welcome reduction in the administrative and compliance burdens on charities, organisations will still need to understand when, how and why they’re collecting people’s personal data, how they’re using it, who they’re sharing it with, how long they’re keeping it etc., so in practice some form of regular audit and record keeping is still likely to be required.
The DPDI also includes other proposed changes that may affect certain charities including: an updated definition of what counts as scientific research for data protection purposes; the removal of the Data Protection Officer role; and changes to rules on automated decision making.
As the DPDI isn’t yet law, charities shouldn’t make any changes to their current data compliance practices.
Given how significant some of the proposed amendments could be for the sector, however, charities may wish to start planning in order to be able to make the most of opportunities as/when the new laws come into effect – particularly those changes that would open up new fundraising and marketing opportunities.
We will continue to provide updates on the passage of the DPDI and the resulting changes to data protection law.
Our specialist charity lawyers can advise you across a range of issues, from setting up a charity, entering into a new lease or contracts, to advising on a merger or campaign. For more information please contact a member of the team on (020 3826 7510) or complete our online enquiry form.
)Access all our articles and search the provider directory for free.